The current password hashing strategy is based on the SHA-512 algorithm. OWASP as of 2018-01-08 recommends
the usage of stronger algorithms, for this case you can use the PBKDF2 strategy (OWASP recommendation).

Warning

If you already have a running application switching the strategies will make break your existing
passwords, so you will need to migrate the passwords from one algorithm to the second.

If you want to override this behaviour you can do so by providing an alternative hash strategy and setting it with
setHashStrategy.

Warning

It is advised to always store your passwords as hashes in your database tables which have been created
with a salt which should be stored in the row too. A strong hashing algorithm should be used. It is strongly advised
never to store your passwords as plain text.

Hashing passwords

Like any application there will be a time where you need to store new users into the database. Has you have learn
passwords are not stored in plain text but hashed according to the hashing strategy. The same strategy is required
to hash new password before storing it to the database. Doing it is a 3 step task.

Hashing user password with salt can be not enough, this approach his good enough for avoiding rainbow tables
attacks or precomputed table attacks but if the attacker gets the database it will be easier to setup a brute force
attack. This kind of attack is slower but all required information is given: the hash and the salt.

To make the hash attack more complex the default strategy allows you to provide an application level list of nonces
to be used in the computation. This list should not be stored in the database since it add an extra variable to the
computation that is unknown, making the brute force attack as potentially the only way to crack the hash. You might
want to refresh the nonces now and then so you should add and never remove entries to the list, for example:

auth.setNonces([
"random_hash_1",
"random_hash_1"
]);

In order to decode there is no change required to the code, however to generate a new user you must specify which
nonce (by it’s index) you want to use. If you look at the previous example, the usage is quite similar:

Authorisation - Permission-Role Model

Although Vert.x auth itself does not mandate any specific model of permissions (they are just opaque strings), this
implementation assumes a familiar user/role/permission model, where a user can have zero or more roles and a role
can have zero or more permissions.

If validating if a user has a particular permission simply pass the permission into.
isAuthorised as follows: